GitHub

BCC is a toolkit for creating efficient kernel tracing and manipulation programs built upon eBPF, and includes several useful command-line tools and examples. BCC eases writing of eBPF programs for kernel instrumentation in C, includes a wrapper around LLVM, and front-ends in Python and Lua. It also provides a high-level library for direct integration into applications.

Website | GitHub

bpftrace is a high-level tracing language for Linux eBPF. Its language is inspired by awk and C, and predecessor tracers such as DTrace and SystemTap. bpftrace uses LLVM as a backend to compile scripts to eBPF bytecode and makes use of BCC as a library for interacting with the Linux eBPF subsystem as well as existing Linux tracing capabilities and attachment points.

Website | GitHub

Calico Open Source is designed to simplify, scale, and secure container and Kubernetes networks. Calico’s eBPF dataplane utilizes the power, speed, and efficiency of eBPF programs to deliver networking, load-balancing, and in-kernel security enforcement for your environment.

Website | GitHub

Cilium is an open source project that provides eBPF-powered networking, security and observability. It has been specifically designed from the ground up to bring the advantages of eBPF to the world of Kubernetes and to address the new scalability, security and visibility requirements of container workloads.

Website | GitHub

Falco is a behavioral activity monitor designed to detect anomalous activity in applications. Falco audits a system at the Linux kernel layer with the help of eBPF. It enriches gathered data with other input streams such as container runtime metrics and Kubernetes metrics, and allows to continuously monitor and detect container, application, host, and network activity.

Website | GitHub

Katran is a C++ library and eBPF program to build a high-performance layer 4 load balancing forwarding plane. Katran leverages the XDP infrastructure from the Linux kernel to provide an in-kernel facility for fast packet processing. Its performance scales linearly with the number of NIC’s receive queues and it uses RSS friendly encapsulation for forwarding to L7 load balancers.

GitHub

Tetragon provides eBPF-based transparent security observability combined with real-time runtime enforcement. The deep visibility is achieved without requiring application changes and is provided at low overhead thanks to smart Linux in-kernel filtering and aggregation logic built directly into the eBPF-based kernel-level collector. The embedded runtime enforcement layer is capable of performing access control on kernel functions, system calls and at other enforcement levels.

Website | Git Trees | Mailing List | Patches | CI | Office Hours | Docs

The Linux kernel contains the eBPF runtime required to run eBPF programs. It implements the bpf(2) system call for interacting with programs, maps, BTF and various attachment points where eBPF programs can be executed from. The kernel contains a eBPF verifier in order to check programs for safety and a JIT compiler to translate programs to native machine code. User space tooling such as bpftool and libbpf are also maintained as part of the upstream kernel.

Website | Git Repo | Mailing List | Compiler Explorer | Bugtracker | Docs

The GCC compiler comes with an eBPF backend starting from GCC 10. Up to that point, LLVM has been the only compiler which supports generating eBPF ELF files. The GCC port is roughly equivalent to the LLVM eBPF support. There are some missing bits of functionality but the GCC community is working to close these gaps over time. GCC also contains eBPF binutils as well as eBPF gdb support for debugging of eBPF code that is traditionally consumed by the Linux kernel. Included as part of this is an eBPF simulator for gdb.

Website | GitHub | Patches | Bugtracker

The LLVM compiler infrastructure contains the eBPF backend required to translate programs written in a C-like syntax to eBPF instructions. LLVM generates eBPF ELF files which contain program code, map descriptions, relocation information and BTF meta data. These ELF files contain all necessary information for eBPF loaders such as libbpf to prepare and load programs into the Linux kernel. The LLVM project also contains additional developer tools such as an eBPF object file disassembler.

Website | GitHub | Office Hours | Slack Channel

The eBPF for Windows project is a work-in-progress that allows using existing eBPF toolchains and APIs familiar in the eBPF ecosystem to be used on top of Windows. That is, this project takes existing eBPF projects as submodules and adds the layer in between to make them run on top of Windows.

GitHub

A conformance testing framework for eBPF runtime implementations. It provides a set of tests that can be used to verify that an eBPF implementation is compliant with the eBPF specification.

Website | GitHub

An extended Berkley Packet Filter CPU implemented in hardware on FPGA. In contrast to classic HDL languages like Verilog or VHDL, Migen/LiteX (both based on Python) where used. Supports custom extensions to ‘call’ opcode and includes full test suite for each opcode for included emulator and simulator as well as for included hardware targets.

GitHub

A polynomial-time eBPF verifier supporting bounded loops based on abstract interpretation.

Docs | Crate | GitHub

Running in user space, rbpf provides a cross-platform eBPF interpreter and a JIT-compiler for x86-64, implemented in Rust. It was initially a port of uBPF to Rust.

GitHub

An eBPF runtime that permits execution of eBPF programs in user mode, with support for an interpreter as well as JIT compilation of eBPF programs on x86-64 and ARM64 architectures. This project supports running on Windows, macOS, and Linux platforms.

Major: ebpf
Emerging: libbpfgo

eBPF is designed as a pure Go library that provides utilities for loading, compiling, and debugging eBPF programs. It has minimal external dependencies and is intended to be used in long running processes.

libbpfgo is a Go wrapper around libbpf. It supports BPF CO-RE and its goal is to be a complete implementation of libbpf APIs. It uses CGo to call into linked versions of libbpf.

Major: libbpf

libbpf is a C/C++ based library which is maintained as part of the upstream Linux kernel. It contains an eBPF loader which takes over processing LLVM generated eBPF ELF files for loading into the kernel. libbpf received a major boost in capabilities and sophistication and closed many existing gaps with BCC as a library. It also supports important features not available in BCC such as global variables and BPF skeletons.

Website | GitHub

Apache SkyWalking is an application performance monitor tool for distributed systems, especially designed for microservices, cloud native and container-based (Kubernetes) architectures. SkyWalking Rover is an agent in the SkyWalking ecosystem, as a metrics collector and profiler powered by eBPF to diagnose CPU, I/O and L4/L7(TLS) network performance. Also, Rover provides add-on events for spans in the distributed tracing.

GitHub

Blixt is a layer 4 load-balancer for Kubernetes. It has a control-plane implemented using Gateway API and a data-plane built using eBPF and Rust.

Website | GitHub

bpfd is a system daemon aimed at simplifying the deployment and management of eBPF programs. It’s goal is to enhance the developer-experience as well as provide features to improve security, visibility and program-cooperation. bpfd includes a Kubernetes operator to bring those same features to Kubernetes, allowing users to safely deploy eBPF via custom resources across nodes in a cluster.

GitHub

BumbleBee simplifies building eBPF tools and allows you to package, distribute, and run eBPF programs using OCI images. It allows you to just focus on the eBPF portion of your code and BumbleBee automates away the boilerplate, including the userspace code.

GitHub

Caretta is a Kubernetes service map that uses eBPF to trace network traffic between pods. It can be used to visualize the network traffic between services in a Kubernetes cluster, and gain additional insights into the network traffic and the relationships between services.

Website | GitHub

DeepFlow is a highly automated observability platform built for cloud native developers. Based on eBPF, DeepFlow innovatively implements an automated distributed tracing mechanism: AutoTracing. Microservice processes, service mesh sidecars, and network interfaces along the way are included as tracing spans, for every distributed transaction, without any code instrumentation. DeepFlow can automatically generate golden RED metrics for any process in cloud native environment.

Website | GitHub

Eunomia-bpf is a dynamic loading library, based on libbpf, and a compiler toolchain. Eunomia-bpf simplifies building eBPF tools and allows you to package, distribute, and run eBPF programs in JSON format or as a WASM module. With eunomia-bpf, you can write kernel eBPF code and automatically expose your data from the kernel and interact with eBPF program in user space with a WASM runtime.

Website | GitHub

eCapture is a Go language-written tool that can capture HTTPS/TLS plaintext without a CA certificate. It supports TLS encryption libraries such as openssl, boringssl, gnutls, and nspr. It can run on x86_64 CPU architectures with Linux kernel 4.18 or higher, and aarch64 CPU architectures with Linux/Android kernel 5.5 or higher, supporting both CO-RE and non-CO-RE modes without BTF.

Website | GitHub

Hubble is a fully distributed networking and security observability platform for cloud native workloads. It is built on top of Cilium and eBPF to enable deep visibility into the communication and behavior of services as well as the networking infrastructure in a completely transparent manner.

Website | GitHub

Inspektor Gadget is a collection of tools (or gadgets) to debug and inspect Kubernetes resources and applications. It manages the packaging, deployment and execution of eBPF programs in a Kubernetes cluster, including many based on BCC tools, as well as some developed specifically for use in Inspektor Gadget. It automatically maps low-level kernel primitives to high-level Kubernetes resources, making it easier and quicker to find the relevant information.

Website | GitHub

Kepler (Kubernetes-based Efficient Power Level Exporter) is a Prometheus exporter. It uses eBPF to probe CPU performance counters and Linux kernel tracepoints. These data and stats from cgroup and sysfs are fed into ML models to estimate energy consumption by Pods.

Website | GitHub

Kindling is a monitoring tool that aims to help users understand the execution behavior of programs from kernel space to user space to pinpoint the root cause of critical incidents. It can obtain L4/L7 network performance metrics and build service maps. Kindling implements a mechanism, Trace Profiling, that can display how each trace is executing on-CPU with thread-level flame graph, and how it is slowed down by off-CPU events with related metrics.

Website | GitHub

KubeArmor is a container-aware runtime security enforcement system that restricts the behavior (such as process execution, file access, networking operation, and resource utilization) of containers at the system level, using LSMs and eBPF.

GitHub

kubectl-trace is a kubectl plugin that allows for scheduling the execution of bpftrace(8) programs in Kubernetes clusters. kubectl-trace does not require installation of any components directly onto a Kubernetes cluster in order to execute bpftrace programs. When pointed to a cluster, it schedules a temporary job called trace-runner that executes bpftrace.

Website | GitHub

L3AF is a platform to launch and manage eBPF programs in distributed environments. L3AF empowers users to compose multiple eBPF programs together to solve unique problems in different environments. Using the APIs provided by L3AF, these eBPF programs can be reconfigured, updated, inspected, and reordered on-the-fly. L3AF also provides configurable metrics for the eBPF programs it has launched.

Website | GitHub

LoxiLB is an open-source cloud-native “external” service load-balancer for cloud-native 5G/edge workloads written from scratch using eBPF as its core-engine and based on Go Language. LoxiLB turns Kubernetes network load balancing for 5G/Edge services into high speed, flexible and programmable LB services.

Website | GitHub

Merbridge is designed to make traffic interception and forwarding more efficient for service mesh. With Merbridge, developers can use eBPF instead of iptables to accelerate their service mesh without any additional operations or code changes. Currently, Merbridge already supports Istio, Linkerd, and Kuma.

Website | GitHub

Track memory, CPU, I/O bottlenecks broken down by method name, class name, and line number over time. Without complex overhead, in any language or framework. Using Parca’s UI the data can be globally explored and analyzed using various visualizations to quickly and efficiently identify bottlenecks in code. Parca uses eBPF to collect profiling data and uses libbpf-go to interact with the kernel.

Website | GitHub

Pixie is an open source observability tool for Kubernetes applications. Pixie uses eBPF to automatically capture telemetry data without the need for manual instrumentation. Developers can use Pixie to view the high-level state of their cluster (service maps, cluster resources, application traffic) and also drill down into more detailed views (pod state, flame graphs, individual full body application requests).

Website | GitHub

ply is a dynamic tracer for Linux which is built upon eBPF. It has been designed with embedded systems in mind, is written in C and all that ply needs to run is libc and a modern Linux kernel with eBPF support, meaning, it does not depend on LLVM for its program generation. It has a C-like syntax for writing scripts and is heavily inspired by awk(1) and dtrace(1).

Website | GitHub

Pulsar is an event-driven framework for monitoring the activity of Linux devices. It allows you to collect runtime activity events from the Linux kernel through its modules and evaluate each event against your own set of security policies. Powered by eBPF and written in Rust, Pulsar is lightweight and safe by design.

GitHub

pwru is an eBPF-based tool for tracing network packets in the Linux kernel with advanced filtering capabilities. It allows fine-grained introspection of kernel state to facilitate debugging network connectivity issues.

Website | GitHub

Pyroscope is an open source project centered around continuous profiling, particularly in a Kubernetes context. It leverages eBPF as its core technology along with a custom storage engine to offer system-wide continuous profiling with minimal overhead as well as efficient storage and querying capabilities. We support Linux 4.9 and up thanks to CO-RE and libbpf.

Website | GitHub

SSHLog is a Linux daemon written in C++ and Python that monitors OpenSSH servers via eBPF. The agent passively records all SSH session activity (commands and output) to log files for any connecting user. Administrators can also share an SSH session with any logged in user. Actions may be triggered based on SSH behavior such as posting a Slack message when a remote user attempts to gain root access.

GitHub

Sysmon for Linux is a tool that monitors and logs system activity including process lifetime, network connections, file system writes, and more. Sysmon works across reboots and supports advanced filtering to help identify malicious activity as well as how intruders and malware operate on your network.

GitHub

Tracee uses eBPF technology to detect and filter operating system events, helping you expose security insights, detect suspicious behavior, and capture forensic indicators.

Website | GitHub

Wachy is a profiler that uses eBPF to trace arbitrary compiled binaries and functions at runtime. It aims to make eBPF uprobe-based debugging much easier to use by displaying traces in a UI next to the source code, and allowing interactive drilldown analysis.